Canadian Cyber Security Journal
Filed under: Featured, TechTalk

FortiBleed: 86,000 Fortinet Credentials Stolen in Massive Campaign — What Canadian Organizations Must Do Now

What Happened

CISA issued an urgent advisory on June 19, 2026, warning Fortinet customers to secure their devices after a sweeping credential theft campaign exposed management credentials for 86,644 Fortinet firewall and VPN devices worldwide. The campaign, dubbed FortiBleed by security researchers, was first uncovered by researcher Bob Diachenko, who found a server containing what appeared to be valid Fortinet VPN credentials including usernames, email addresses, and plaintext passwords.

The scale of the operation is significant. Threat actors processed over 1.16 billion credential attempts against more than 320,000 FortiGate targets and an additional 2.1 billion attempts against 163,650 Microsoft SQL Server instances. The campaign targeted internet-accessible Fortinet management interfaces globally, spanning 194 countries across government agencies and private-sector organizations. Attribution analysis points to Russian-speaking threat actors behind the operation.

SOCRadar data shows that generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) make up the majority of the compromised credentials. The exposure of default and built-in accounts signals widespread failure to complete basic Fortinet hardening steps that Fortinet itself has published since 2023. CISA’s advisory instructs organizations to immediately reset all device credentials, enable multi-factor authentication, disable management plane internet exposure where possible, and review access logs for evidence of unauthorized access.

Why This Matters for Canadian Organizations

Fortinet products — FortiGate firewalls, FortiVPN, and FortiManager — are pervasive across Canadian enterprise, government, healthcare, financial services, and critical infrastructure environments. The CCCS has previously named Fortinet appliances among the most targeted categories of perimeter infrastructure in advisories addressing nation-state and ransomware campaigns against Canadian networks.

Compromised Fortinet management credentials give attackers direct control over the network perimeter: firewall policy modification, VPN user enumeration, split tunnelling configuration changes, and in many cases lateral movement paths into internal networks that never trigger endpoint detection controls. For organizations with active FortiVPN deployments, credential compromise does not merely let attackers through the VPN; it gives them the same administrative view of it as your own network team.

Under OSFI Guideline B-13, federally regulated financial institutions are required to maintain continuous monitoring of third-party and perimeter access controls and to report material incidents. Credential compromise at the firewall management layer meets that threshold. Under PIPEDA, organizations must assess whether compromised Fortinet management access was used to reach systems processing personal information — and in most enterprise deployments, the answer is yes. Canada’s Bill C-26 Critical Cyber Systems Protection Act further underscores patching and hardening obligations for designated critical infrastructure operators whose Fortinet devices fall under the scope of protection requirements.

What to Do

Rotate all Fortinet management credentials immediately, including both local admin accounts and LDAP/RADIUS-integrated accounts used for device management. Do not limit rotation to the account you believe was exposed — rotate all management accounts on every Fortinet device in your environment.

Disable direct internet access to Fortinet management interfaces. Management access should go through a VPN or jump host, not directly from the public internet. If your FortiGate management plane is internet-accessible today, restrict it to specific source IPs at minimum and move to an out-of-band management network as a permanent fix.

Enable multi-factor authentication on all Fortinet administrative accounts. FortiGate supports hardware token, TOTP, and FortiToken authentication. Enable login failure alerting and set lockout thresholds to detect brute-force attempts.

Review FortiGate audit logs for the past 90 days for unauthorized logins, configuration changes, or new admin account creation. Pay specific attention to policy rule additions, VPN configuration modifications, and any changes to log forwarding or alert thresholds. If you identify signs of unauthorized access, treat this as a confirmed incident under your incident response plan and begin the PIPEDA breach risk assessment process.
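The log review described above, as an added example that is not part of the original article: a small Python checker that walks FortiGate-style key=value event logs and flags repeated login failures, administrative logins from outside an assumed jump-host range (10.20.0.0/16, an assumption), new admin accounts, and changes to logging, policy or VPN configuration. The sample lines are constructed for illustration and are not real device output.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in FortiGate's key=value event-log style; they are
# illustrative only, not output captured from a real device.
SAMPLE_LOGS = """\
date=2026-06-18 time=03:12:41 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-06-18 time=03:12:44 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-06-18 time=03:12:49 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-06-18 time=03:13:05 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.7 action="login" status="success" profile="super_admin"
date=2026-06-18 time=03:15:22 type="event" subtype="system" logdesc="Object configured" user="admin" srcip=198.51.100.7 cfgpath="system.admin" cfgobj="svc_backup" action="Add"
date=2026-06-18 time=03:16:01 type="event" subtype="system" logdesc="Attribute configured" user="admin" srcip=198.51.100.7 cfgpath="log.syslogd.setting" cfgattr="status[enable->disable]" action="Edit"
date=2026-06-18 time=09:02:10 type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=10.20.0.15 action="login" status="success" profile="super_admin"
"""

MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16")]  # assumed jump-host range
FAILED_LOGIN_THRESHOLD = 3  # failures from one source before we flag it
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def from_allowed_source(ip):
    """True when the source IP falls inside the management allowlist."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_ALLOWLIST)

def review_logs(text, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (rule, user, srcip, detail) findings matching the review items above."""
    findings, failures = [], Counter()
    for raw in text.splitlines():
        e = parse_line(raw)
        if not e:
            continue
        user, src, path = e.get("user", "?"), e.get("srcip", "?"), e.get("cfgpath", "")
        login = e.get("action") == "login"
        if login and e.get("status") == "failed":
            failures[src] += 1
            if failures[src] == threshold:  # report once per source
                findings.append(("repeated_login_failures", user, src, f"{threshold} failures"))
        elif login and e.get("status") == "success" and not from_allowed_source(src):
            findings.append(("admin_login_unexpected_source", user, src, e.get("profile", "")))
        elif path == "system.admin" and e.get("action") == "Add":
            findings.append(("new_admin_account", user, src, e.get("cfgobj", "")))
        elif path.startswith(("log.", "alertemail.", "firewall.policy", "vpn.")):
            findings.append(("sensitive_config_change", user, src, f"{path} {e.get('cfgattr', '')}".strip()))
    return findings
```

On the constructed sample the checker reports the three failed attempts, the subsequent successful login from the same non-allowlisted address, the creation of `svc_backup`, and the syslog forwarding being disabled, while the login from the jump-host range is left alone.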

Source: BleepingComputer / The Hacker News
